Monday, September 26, 2016

Yahoo Verizon Breach Impact on Future M&A

Cybersecurity is likely to take another step toward having a quantitative number attached to its value.

Recode probably has the most comprehensive story. Their reporters Kara Swisher and Kurt Wagner are pretty switched on. They report, "In addition, internal sources at Yahoo said the company had been subjected to a number of previous incidents that were not managed swiftly by CEO Marissa Mayer. One executive close to the situation said that former Yahoo information security head Alex Stamos had tried aggressively to get management to act more strongly at the time, but he had not been successful. The well-regarded techie left Yahoo in mid-2015 for a job as chief security officer at Facebook."

Quartz discusses whether Yahoo did or did not know about the breach they announced in September back in July, "In July, a well-known hacker who goes by the name “Peace” told Motherboard that he possessed 200 million Yahoo user details, which were going for 3 bitcoins a pop on a darknet market called TheRealDeal. Yahoo confirmed that it was “aware” of the claim at the time. 

This is the incident that Mayer was aware of in July, as the FT’s anonymous source says: “Marissa was aware absolutely—she was aware and involved when Peace surfaced this allegation in July,” according to the source.

The attempt to verify Peace’s claim then led Yahoo to discover the latest breach, of 500 million user records, according to the FT. Yahoo has attributed this hack not to Peace but to a “state-sponsored actor.” What’s not clear now is when Yahoo discovered the confirmed breach. It seems a safe bet that this discovery happened sometime after Peace made his claims in late July, which is also after the Verizon deal was clinched, on July 25."

But does the when actually matter? The richer question is the impact on the merger. The Washington Post reports, "The dark cloud this casts will be very long and will likely impact the merger agreement," Jeff Kagan, a Georgia-based telecommunications industry analyst, said in an email. "We'll just have to wait and see what happens next."

USA Today: "They (Verizon) are going to get a price discount," said Robert Cattanach, a lawyer who specializes in cybersecurity and data breaches at Washington, D.C. firm Dorsey & Whitney. "I would expect that there will be a fairly sophisticated effort to quantify the materiality of the impact of this breach and there would be some sort of price adjustment."

One possibility is that it will have no impact on the deal or even on the selling price. The NY Times reports, "Brian Quinn, an associate professor at Boston College Law School, said Verizon had two main options if it decided to use the hack as leverage in setting the terms of the deal.

“They could say, ‘This thing is huge. We want to walk away from the transaction,’” he said. Were Verizon to try to claim that the breach was so severe it was grounds to terminate the deal, it would have to prove that the hack amounted to a material adverse effect on the value of Yahoo.

Such claims can be difficult to prove in court. According to Mr. Quinn’s reading of the merger document for the deal, Verizon would most likely have to prove that certain high-level Yahoo employees were aware of the severity of the hack before the deal was agreed upon, and intentionally withheld that information."

I have been poring over the financial analysts' reports and they seem to be oblivious to the impact of the breach, but I expect that will change. What is unique in this case is that Verizon has a fairly advanced cybersecurity division. They are uniquely suited to investigate and determine the potential impact to the deal. That said, they have recently suffered their own breach: a recent thread posted on a guarded cybercrime forum advertised a database containing contact information for roughly 1.5 million Verizon Enterprise customers for sale at $100,000 for the lot.


Wednesday, September 21, 2016

The GIAC Advisory Board and its relationship to Linkedin

The GIAC Advisory Board is a mailing list. The price of admission is to score 90 or higher on a GIAC exam. In other words, it is a meritocracy.

It was created 15 years ago because the founder of the Global Incident Analysis Center, (er, uh, that too), but actually the Global Information Assurance Certification, realized that certification is hard and that GIAC would need a lot of help and advice to succeed and grow.

Over the years a number of things have happened. GIAC has grown. It is not the largest body of cybersecurity certifications in terms of credentials awarded; that is either ISC2 or CompTia depending on which reference source you use. GIAC is certainly the most comprehensive body of cybersecurity certifications and it is known for technical rigor, so scoring a 90 or above on one of the exams is a significant achievement.

The mailing list is private; to join, members sign a Non-Disclosure Agreement. They help each other in a number of ways. In addition to commentary about SANS and GIAC processes, they share exam practice tests, help with insights into hard problems and even discuss security vendor products.

The list can get quite chatty when an interesting thread comes up, so many of the members use the digest mode, (which has its own issues). However, the members that remain on the list feel that the value is worth the trillions of electrons that laid down their lives for the cause.

Through most of its life, the list has been both private and obscure; however, in October 2015, it had a "coming out" party of sorts, primarily on the LinkedIn social network. That state change led to this blog post: if you are looking at a profile and wonder, "What is the GIAC Advisory Board?", here is the answer.

Linkedin is social media designed for professionals to interact. Many people have an account, but most don't use their account actively. A common use is to find and apply for jobs. Recruiters, including technical recruiters, also use Linkedin extensively to find talent. As the original author of MGT 512 and MGT 514, I have moved away from being a packet ninja to being more of a management speaker. I try to stay in touch with my former students and help them when they need to find a new job, (that is a tough row to hoe when you are a middle aged middle manager). I have found Linkedin is the most effective tool for that task that I have in my toolbox.

One aspect of Linkedin is that it records the state of conversations over years. This provides a potential release from the "Dunbar number", (the idea that you can only maintain about 150 relationships). Over the years, I have found Malcolm Gladwell's The Tipping Point to be a useful thought model. Brad Hunter explains the Law of the Few as well as I have ever seen it:

"The law of the few is a law about the structure of our social network and how messages are passed through word of mouth. It attempts to classify three important types of people who affect the rapid spread of messages through the network. These three types of people are connectors, mavens, and salesmen."

Word of mouth? Social media has really changed that concept. Word of keyboard? I am trying to collect examples of "perceptors", things that influence or attempt to influence our thinking and beliefs. You can't spend much time on Facebook or Linkedin without seeing something obviously fake like the story of Sgt. Gregory Hayes. I ignore such things on Facebook, I guess that is what it is there for, and unfollow people that post racist untruths on Linkedin. I still remember the first time I met someone that actually believed the photo of President Obama doing the pledge with the wrong hand. The man was convinced, even when I showed him the Snopes writeup. This gives me hope that the things we post will help shape a positive, more secure future.

I am going to try to explain how Linkedin can be used, (with a little elbow grease), for each role, (connectors, mavens, and salesmen).

     "Connectors are the socialites. They are people with many friends and acquaintances who spend time maintaining these connections. From the network perspective, these are the most central nodes in the social network. Gladwell devised a simple test which allowed him to determine that the number of connections a person has is measured by a power law. This means that connectors are rare in society, but they maintain many more times the number of relationships than the average person does. Because of their ability to spread a message to a huge number of people quickly, connectors are central to understanding how tipping points are reached."

Gladwell asserts connectors can exceed the Dunbar number and maintain over 150 active relationships. Every Thursday, I receive an email with the details of persons that scored over 85 on their GIAC exams and are being invited to the SANS Mentor program, (I created this program 16 years ago to help reduce the SANS Instructor shortage problem).

I look up each name on Linkedin. If they are a 3rd level connection, I use InMail to congratulate them on their score and ask them to consider linking to me. If they are a 2nd level connection, (we have at least one 1st level connection in common), I write to a common 1st level connection and ask for an introduction. If they are a 1st level connection I try to write and congratulate them. This is very manual and takes about two hours a week, but in 2016, I crossed the 10k 1st level connection milestone. They aren't all my Best Friends Forever and I am sure I am linked to a few fictitious persons, but this fuels my efforts to serve the community as a maven.

     "Mavens are the information gatherers of the social network. They evaluate the messages that come through the network and they pass their evaluations on to others, along with the messages. We can view mavens as regulators of the network because they have the power to control what flows through the network. We trust mavens, and this is especially important because their assessments can often make or break the tipping of an epidemic. Mavens drive many of our social institutions. They are the people who inform the better business bureau, regulate prices, write letters to senators, etc. in order that the rest of us don't have to. Though Gladwell does not argue this explicitly, his description of mavens suggests that mavens can be specialized in areas of expertise and thus many of us may be mavens in our particular areas of interest."

Most people do not use Linkedin actively outside of job searching and recruiting and doing some Facebook style scanning. I try to use my account to share information and ask for information. I have been doing this for years. It has taken a lot of patience but I am finally escaping from the "land of small numbers".

If you have ever blogged, Facebooked, Tweeted, etc., you have probably noticed that you commonly get 30 or maybe even 100 pageviews. That can be disheartening when you think about the hours of research and writing. Fifteen years ago, when I was writing books like Network Intrusion Detection, (my co-author Judy Novak was the real reason for the success of that project), tens of thousands of people would read my posts and I was dumb enough to think it would always be that way.

If I write a blogpost on Yogi's training log, an average of 18 people will read it. That doesn't bother me; I have to keep this as a record since he is actively in training as a service dog. If I post something on Facebook, I might get two dozen likes. This is what I call the land of small numbers. But Linkedin, for whatever reason, has more firepower. Last year I broke a thousand pageviews, (for a single post), for the first time. Now, with my larger network, it is not uncommon at all for a post or update to do so; "word of keyboard". I try to post useful information, but I am also committed to using my network as a sales and marketing tool.

     "Salesmen are what the name implies. They are persuaders who are capable of propagating messages through the force of their character. Thus, regardless of the message content or their expertise in the area, they have a certain ability to sell which helps them move messages which may be of importance to them. This ability to persuade strangers to accept a message is why salesmen are important in tipping epidemics."

There is a section about sales in MGT 512. The point I try to make is that security does not sell itself, so we have to sell it. If we are going to sell, then we need to understand the sales cycle. SANS has been kind enough to allow me to chair a conference each year, (hope to see you at Rocky Mountain 2017 :). This allows me to keep working on these skills. Direct paper mail and email advertising are only so effective; we know, because we measure everything. Linkedin word of keyboard lets me reduce my reliance on these tools.

The GIAC Advisory Board is another tool that I am very thankful for. I have asked for help many times and have tried to give help as well. We suggest that new members post their Linkedin URL and hope they will be open to linking with other Advisory Board members. For myself, for all the reasons I have mentioned, this is synergistic. For other people, especially those who don't use Linkedin, this is a distraction. Two suggestions:

  • Turn on digest mode if you haven't. This way, during a "Linkedin flurry", you can easily see which posts you want to look at. SANS really can't filter out Linkedin URLs because some people want to see them.
  • Think a bit about the connector, maven, salesperson model. There is no need to be in a hurry to build a Linkedin network, but it is a good idea to do BEFORE you are looking for your next career opportunity.
If you read this far, bless you! Don't be shy about asking to use my network, that is what it is here for. If you are having a hard time filling a job position, I would like to help you get the word out. If you took the time to research something and wrote a blogpost, I would love to put out an update with the URL. And if you are on Linkedin and on the GIAC Advisory Board, please put that in your profile. We aren't Jedi knights or any such thing, but it is something to be proud of; every month or so I get a note from someone saying, "durn it, I scored an 88".


Tuesday, September 20, 2016

How to select a cybersecurity graduate school

Upfront disclaimer, I am biased. I am the chair for SANS Rocky Mountain 2017 and Director of Academic Advising for the SANS Technology Institute. That said, I am going to try to offer a range of thoughts from many sources.


This all started when I received an email from the Senior Editor at www.cybersecuritymastersdegree.org, recommending their website as a resource.

I went to their website and it looks pretty good and seems to be balanced. But it got me thinking. What if I enter the search string "how to select a cybersecurity graduate school" into Google?

The top ranked, non-ad, site for that query is the University of San Diego. They offer commonsense advice: "There are a number of factors to consider, including school reputation, teacher caliber, cost and curriculum that can help you narrow down your options."

And they ask an important question, (that I do not think they really answer): "So how do you determine what schools have the best reputation in your field?"

The number two hit was bestschools.org listing the 25 best online programs. According to them the top three are Penn State, Northeastern, and Boston University. This is clearly proof that the Northeast coast rules the cybersecurity roost. BZZT.

Next up, Cyberdegrees.org, with Regis, Capella and Syracuse. They look even less believable. Sigh.

Let's change the search string to simply "cybersecurity graduate school".

The top ranked, non-ad, site for that query is gradschools.com; they have a filter system and run a number of scripts in your browser. Their ranking is Kaplan, Syracuse, University of Delaware.

The number two hit was a CSO article and their top three were: American Military University, Carnegie Mellon, and Fordham. At this point, I am fairly sure that everyone but the University of San Diego is making this stuff up.

OK, let's try for some ground truth, for each top 3 school let's Google the name of the school and the word cybersecurity and put them in rank order. I am also going to add Norwich and Purdue because I am familiar with their programs and SANS.

American Military University 1.26M
University of San Diego 980k
University of Delaware 829k
Boston University 770k
Penn State 598k
Northeastern 372k
Purdue 321k
SANS Technology Institute 312k
Carnegie Mellon 302k
Kaplan 262k
Syracuse 224k
Norwich 181k
Regis 137k
Fordham 121k
Capella 71.4k


My next step is to reply back to Shaun McKay, Senior Editor and ask for his take.

Monday, September 19, 2016

Robert Maughan's tips for briefing senior executives

When I asked for help with "What does it mean to brief at the CIO level", I got this note by email. I think it is worth reading in its entirety. Thank you Robert!

I did a three day how to deal with CXOs course where we were presenting to actual FTSE 100 executives. It was from the point of view of consultants coming in to pitch to the board so not all of it would be relevant to an internal team. After the course I pulled together a list for reviewing before going into a top level meeting. After some discussion with other people on the course we ended up with the following.

I have this printed out on a single side of A4 paper for review and read it before any top level meeting.

The single most important thing to remember is "What is the benefit for the company?" Stop talking about features of the solution and focus on what it will deliver.

Kind regards

Rob

The only thing you can ever really sell is yourself
  • People do business with people they trust and preferably like


Proper Planning and Preparation Prevents Poor Performance
  • Anticipate objections and prepare to rebut them
  • Empathise with the client and understand their needs

Set an Agenda in advance
  • Be specific
  • Be prepared to go in a different direction if they want to


Benefits Driven
  • Deliverables are features, CXOs buy benefits
  • Talk about what it does for the business and when
  • Where have we done this before and what they got out of it?


Credibility
  • Have case studies
  • Know the benefit delivered by the study


Be Bold
  • There are no shy CXOs
  • Act as an equal if you want to be treated as an equal


Start with an icebreaker
  • This lets everyone settle down before business
  • Helps to build the relationship
  • Let them move things to Business


Always do introductions
  • Yourself.  You may remember them but they see a lot of people
  • Company.  They have talked to a lot of companies since you were last here

Pay attention to their cues
  • Listen for verbal indicators of interest or disinterest
  • Watch for body language indicators as well
  • Did they just hint at information you should dig for?
  • Did they just reference an opportunity you were not aware of?


Always summarize
  • Make sure you both had the same meeting
  • Confirm follow up action for both sides

Send a thank you
  • Courtesy costs nothing and increases the chance you will be remembered
  • A chance to confirm the next steps in writing

A pair works better than someone flying solo
  • One to talk and one to listen/watch
  • Someone to help you recover if you fumble


Saturday, September 17, 2016

What does it mean to give a security presentation on Cyber Threat Intelligence at the CIO level?

A team of cybersecurity experts was recently asked to explain the results of their research in Cyber Threat Intelligence to a CIO panel. Thirty minutes was set aside in a meeting for the presentation and Q&A. They spent seven of the minutes running a simulation of a scan. The CIO asked them to terminate the presentation and leave the room. She turned to the director for cybersecurity and said, "Reschedule, but only after you have explained how to give a presentation to executives."

Problems should always be categorized as common cause, (happens a lot), or special cause, (once in a lifetime). Sadly, poor security briefings are common cause. 

As toolbox puts it:
During my career I've seen security presentations evolve from symbols chiseled on rocks, to puppet shows, to large paper pads on easels, to vector-graphic infested Powerpoint presentations to cinematic-quality 720p slideshows.

And they still stink.

Two suggestions that the author makes are:

  • Keep the number of slides to an absolute minimum. I use a "1 for 2" rule (and even that is generous) - one slide for each two minutes of speaking.
  • Sell, baby sell. Sell the message of your presentation. It should be very clear in your last few minutes of your presentation because you used the outline format I recommended, right? Keep your summary clean, clear, and to the point. I always find that ending on a humorous note tends to garner much higher scores on post-presentation scorecards.
NOTE: Keep in mind that the most important thing to sell is yourself; people do business with people they trust and hopefully like.

CIO magazine points out that senior executives are concerned with strategic issues and may be irritated by technical and tactical presentations. The article goes on to say:

Just as your message should be succinct, so should the supporting visuals. One common mistake CIOs make is dumping every piece of data they have into a PowerPoint presentation and dragging the board through every bit and byte. 

Stephanie Woiciechowski, a member of the GIAC Advisory Board, has this to say about strategic thinking: "Having been a hands on bits + bytes person, the strategic perspective is something I just began to understand a few years ago because "strategy" when you're hands on and focused on your job means something different to you than it does to the C-level types.

I tried to listen to advice and present a strategic perspective but I didn't know enough about how my team fit in the larger picture and what that larger picture was. It's hard to understand how the details you find fascinating aren't strategic at the C-level and it's hard to understand how the C-levels can make strategic decisions when they don't understand the details."

Senior executives like the CIO are involved in the organization's strategic planning process. There are many definitions for strategic planning, but a common one is the set of strategies to achieve the organization's vision for two to five years from now. Tactical thinking, which is common for cybersecurity professionals, concerns the activities to be accomplished between now and a year from now. It is completely true that the strategies that make up the strategic plan depend on tactical activities. However, senior executives are responsible for more than cybersecurity; they have to lead the entire business. When briefing them about tactical activities, be sure to tie the discussion to the strategies of the business. As Robert Maughan puts it, "The single most important thing to remember is 'What is the benefit for the company?' Stop talking about features of the solution and focus on what it will deliver."

This Harvard Business Review blogpost summarizes all the tips succinctly.

A SANS Reading Room paper by Jeff Hall suggests using the pyramid principle. If you have ever heard me teach, you know that I start a new section by saying, "let me tell you the bottom line first." The tip of the pyramid is the message or theme to be communicated. Underneath the tip are the supporting facts. The further down you go, the more detail is offered. When briefing senior management, expect to brief the tip and the first level down, and conclude by restating the tip. However, be prepared to answer questions on any part of the pyramid.

Anticipating questions is an important part of presentation preparation, pragmaticcloud suggests:

When preparing for a meeting or presentation it is also beneficial to view things from the senior managers’ perspective and try to anticipate questions they may ask.  For example, if preparing for a presentation ask yourself what questions may be asked about each and every slide, and about the presentation or topic overall.  Then prepare answers, in executive summary form (less is more), for each of the questions.  It is amazing the difference this can make in the level of confidence you will have in yourself, and the executives will have in you in return. 

NOTE: Anticipating questions is extremely important, but don't forget to prepare to address objections as well.

Three weeks later the team of security researchers returned to the boardroom. Their presentation was better, but the question handling was still below par. The CIO's first question was about the business case: "So, you've identified a problem and devised a solution. Quantify, or qualify, the risk for me vis-à-vis the cost of fixing it. Is this worth doing?"

The researcher that gave the presentation identified a range of possible motivations and actors, and offered an overall recommendation to configure the system to log and report significant events, followed by analysis and correlation to include a deep dive if indicators are seen.  He proposed only one course of action, with no alternatives (better, quicker, cheaper, more risky, whatever) on offer.  He could not offer any real sense of the cost of the problem vs. the cost of the fix.

The second researcher identified a potential ideological motivation by way of the presence in Indonesia of GIAC Enterprises, the largest provider of fortune cookie sayings in the world. He also identified the potential to modify fortunes to put out a hacktivist message. His recommendation went down a Cyber Threat Intelligence road, in that he proposed to use this methodology to figure it out and devise an incident response plan. This offered course of action went into zero detail and didn't explain what CTI was beyond, apparently, a silver bullet with no cost and no risk.

After they left the room, the CIO turned to the director for cybersecurity and said, "Can you work with your people to find out: what you are proposing might be an ideal solution, but is there possibly an easier or cheaper option that could be acceptably effective? (Alternatively, if they have identified a minimal solution, 'How would the ideal solution look and what would it require?') Please write up a one page paper summarizing the information and send it to me."

The entire ordeal changed the director for cybersecurity's perspective. He began to study the art of presentations to executives. One article he found stated, "Executive boards are always looking to answer the question 'how secure are we?'" So he created a presentation that answered that question, kept it up to date and stayed prepared to address the question in ten minutes or less. When GIAC Enterprises finally grew to a size where they were ready to create a CISO position, he was offered the job.


Wednesday, September 14, 2016

SANS MGT 512.1 Study Questions


Management is doing things right; leadership is doing the _____ things. 
right


With Bobby Fischer's King's Indian strategy, every ______ was in support of his overall strategy.
"move" or "tactical decision" are both correct answers.


What is the Bias Blind Spot? 
Human beings tend to believe that our self-assessments are always more accurate even when presented with objective data that demonstrates how those assessments may have been biased.
( This may not be in the course yet, And while we can see the bias in other people, we can’t see it in ourselves. )

Define: MoSCoW
 “Must,” “Should,” “Could,” “Won’t”

Define: TL;DR
Too Long; Didn't Read

What is the primary reason for a project charter?

The charter primarily documents the authorization granted or bestowed upon the project manager by the management to accomplish the project.

When a project manager hears the expression "While you are at it...." or "That's nice, but..." their ears should perk up because the speaker is probably suggesting _____ _____.
scope creep

What is a MAC flooding attack?
A MAC flooding attack seeks to overwhelm the CAM table of a switch, forcing the switch to begin sending all packets to all ports. Macof, part of the dsniff distribution, is an example of an attack tool that facilitates this.
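As an added illustration (my own sketch, not from the course notes), the following Python models a switch CAM table filling up under the attack described in the answer, and the port-security limit that contains it. The table capacity, port numbers and MAC addresses are constructed, and the switch model is deliberately simplified (no entry aging, a single shutdown violation mode).

```python
"""Model of MAC flooding against a switch CAM table and of port security as
the control. Added example, not from the course notes; the switch model is a
simplification (no aging of entries, one violation mode)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    cam_capacity: int                           # MAC entries the CAM table can hold
    max_macs_per_port: Optional[int] = None     # port-security limit; None = disabled
    cam: Dict[str, int] = field(default_factory=dict)        # MAC -> port
    macs_per_port: Counter = field(default_factory=Counter)  # port -> learned MACs
    disabled_ports: Set[int] = field(default_factory=set)    # shut by port security

    def learn(self, src_mac: str, port: int) -> None:
        """Learn the source MAC on its ingress port, subject to port security and table size."""
        if src_mac in self.cam:
            return
        if (self.max_macs_per_port is not None
                and self.macs_per_port[port] >= self.max_macs_per_port):
            # Port-security violation (shutdown mode): disable the port, learn nothing
            self.disabled_ports.add(port)
            return
        if len(self.cam) >= self.cam_capacity:
            # Table exhausted: the address is never learned, so frames addressed to it
            # are flooded out of every port, which is what the attacker wants
            return
        self.cam[src_mac] = port
        self.macs_per_port[port] += 1

    def forward(self, src_mac: str, dst_mac: str, in_port: int) -> str:
        """Process one frame; returns "forwarded", "flooded" or "dropped"."""
        if in_port in self.disabled_ports:
            return "dropped"
        self.learn(src_mac, in_port)
        if in_port in self.disabled_ports:      # this very frame caused the violation
            return "dropped"
        if dst_mac in self.cam:
            return "forwarded"                  # unicast to the one known port
        return "flooded"                        # unknown or broadcast: copied to all ports


def suspicious_ports(sw: Switch, threshold: int = 8) -> list:
    """Detection heuristic: an access port sourcing more than a handful of distinct
    MACs is either a misplaced hub or a flooding tool and deserves a look."""
    return sorted(p for p, n in sw.macs_per_port.items() if n > threshold)


def forged_macs(n: int) -> list:
    """Constructed, locally administered source addresses, one per forged frame."""
    return [f"02:00:00:{(i >> 16) & 0xFF:02x}:{(i >> 8) & 0xFF:02x}:{i & 0xFF:02x}"
            for i in range(n)]


def run_scenario(cam_capacity: int = 1000, flood_frames: int = 5000,
                 max_macs_per_port: Optional[int] = None) -> dict:
    """Flood from port 3, then let hosts on ports 1 and 2 talk; report what the switch did."""
    sw = Switch(cam_capacity=cam_capacity, max_macs_per_port=max_macs_per_port)
    host_a, host_b = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed host MACs
    # Phase 1: the flooding tool on port 3 sends one frame per forged source MAC
    for mac in forged_macs(flood_frames):
        sw.forward(mac, BROADCAST, 3)
    # Phase 2: legitimate unicast between the two hosts; with the table full these
    # frames are flooded to every port, including the attacker's
    legit = Counter()
    for _ in range(10):
        legit[sw.forward(host_a, host_b, 1)] += 1
        legit[sw.forward(host_b, host_a, 2)] += 1
    return {
        "legit": dict(legit),
        "cam_entries": len(sw.cam),
        "disabled_ports": sorted(sw.disabled_ports),
        "suspicious_ports": suspicious_ports(sw),
    }


if __name__ == "__main__":
    print("no port security:   ", run_scenario())
    print("max 2 MACs per port:", run_scenario(max_macs_per_port=2))
```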

The notes do not specifically define VLAN tagging attacks.


How do spanning tree election attacks work?
Spanning tree election attacks can be used to create both confidentiality and denial-of-service conditions. If an attacker has access to switch ports that are able to become trunk ports, he can introduce a rogue switch into the network that claims to be "priority 0", (the best link). The spanning tree protocol reconfigures to favor the rogue switch and causes all traffic to cross through it, so the attacker can sniff the traffic; and since traffic that used higher bandwidth links is diverted to his link, the network slows down.

Important Knowledge Skills Abilities (KSAs) for successful CISOs

For the past few months I ran an open survey of Linkedin connections and the GIAC Advisory Board to determine the Knowledge, Skills, Abilities, (KSA) a successful CISO must have. Then we ran a survey, (thank you Barbara Filkins), to measure the Importance, Criticality and Frequency of the skills. This post covers the importance, (core), KSAs.

The 61 survey participants ranked each element between 1 and 5 where: 1 = Least important; 2, 3 = Important; 4, 5 = Most important.

Tier 1 Most important


  • Able to build relationships and partner with Directors and Board members, particularly outside of IT 4.51
  • Ability to understand the balance between risk and security, and how to integrate this into a given organization. Able to facilitate discussions about risk. 4.44
  • Clear understanding of which battles to fight, ability to prioritize when there is always more work to be done than time or resources. 4.38
  • Able to integrate with the company's mission, and with other division's agendas. Understands the business. 4.36
  • Build and take care of the team you are privileged to lead 4.33
  • Ability to effectively communicate technical information to non-technical audiences.   4.32
  • Ability to tie business context/concept to data protection and technical components within the IT and InfoSec space. (Note: A person doesn't need to be an expert, he/she needs to be able to connect these dots for other business leaders). 4.30
  • Liaison between technology and the business, collaboration focused. 4.30
  • Ability to attract and retain top tier technical talent as well as develop less experienced team members 4.23
  • Work well under pressure 4.18
  • Broad knowledge of cybersecurity principles, ranging from technical to human to physical. 4.10
  • Creative thinking, able to apply adaptive strategic and tactical thinking. 4.08
  • Mentor and communicate (up and down) 4.02

Tier 2 Important


  • Capabilities focused, not vendor/tool focused 3.98
  • Life long learner 3.97
  • Humility, capability to admit that he/she doesn't know everything 3.95
  • Build and manage relationships both inside and outside the organization.  (Think Tipping Point connector.) 3.85
  • Incredible organizational ability to keep people on task and focused in order to build, design, deliver, and expand the information security program. 3.79
  • Ability to grow the team as the organization grows. 3.79
  • Ability to prioritize and triage incident response and vulnerability remediation in a calm balanced manner. 3.74
  • Deep knowledge of the cyber threats we face today and tomorrow. 3.60
  • Ability to produce and manage to a budget 3.59
  • Design, build, manage an effective security awareness program 3.58
  • A sense of humor. 3.39
  • Expert experience in at least one cybersecurity discipline 3.13

Tier 3 Less Important


  • Resume demonstrates loyalty to organization, a good CISO does not job hop 2.74
  • Advanced degree (Note: Masters degree preferred, especially MBA) 2.08


About the survey

(Charts from the survey, not reproduced here: job roles of survey participants; industry of survey participants; organization size of survey participants; geographic regions of survey participants.)
What is next for this project?


I am going to try to use Linkedin and the GIAC Advisory Board to collect some qualitative information to see if these KSAs can be broken down further and also to seek wisdom on how to approach the most important KSAs.

About the author:


Stephen Northcutt is Director for Academic Advising at the SANS Technology Institute and chairperson for SANS Rocky Mountain 2017, June 12, in Denver.